Chapter 2.1 Authentication: Passwords - PowerPoint PPT Presentation


Presentation Transcript

Chapter 2.1 Authentication: Passwords


Password File in Ubuntu Linux

  • The password file is /etc/passwd, and it is the database file for all users on the system. The format of each line is as follows:

    username:password:uid:gid:gecos:homedir:shell

    The gecos field is for miscellaneous information about the user, such as the user’s full name, office location, office and home phone numbers, and possibly a brief text message.

  • We will concentrate on Ubuntu Linux.

  • Other operating systems, while sharing many of the same properties as Ubuntu, need to be researched for specific information for them.


A Sample Password File

http://cs.hiram.edu/~obie/cpsc35200/slides/passwd file EX.txt


The Gecos Field

  • For security and privacy reasons, the gecos field is little used now.

  • However, a system administrator should be aware of its existence because the gecos field is used by traditional UNIX programs such as finger and mail.

  • For that reason, it is commonly referred to as the finger information field.

  • The data in this field is comma delimited.

  • The gecos field can be changed with the chfn (change finger) command.


  • A colon separates all fields in the /etc/passwd file.

  • If no information is available for a field, that field is empty, but all the colons remain.

  • If an asterisk appears in the password field, that user will not be permitted to log on.

  • Why does this feature exist? (Don’t peek on next slide!)


When is an Asterisk Used?

  • So that a user can be easily disabled and (possibly) reinstated later without having to be created all over again.

  • The system administrator manually edits this field, which is the traditional UNIX way of accomplishing this task.

  • Ubuntu provides improved functionality with the passwd -l command, i.e. an account can be locked.


Pseudo-users

  • Several services run as pseudo-users, usually with root permissions.

  • These are usually called the system, or logical, users.

  • You would not want these accounts available for general login for security reasons, so they are assigned /sbin/nologin as their shell, which prohibits any logins from those “users.”


Shadow Passwords

  • Note that none of the password fields shows a password; each contains an x.

  • The x in each record specifies these are shadow passwords, a useful security enhancement to Linux.

  • The file /etc/passwd must be readable in order to allow certain operations to take place.

  • But, then anyone with read access can run a cracking program on the file and obtain the passwords with little trouble.

  • In addition to the /etc/passwd file which is readable, a shadow file is kept.


Shadow Passwords

  • Shadow passwords are used so that only an x appears in the password field of /etc/passwd.

  • The real passwords are kept in /etc/shadow, a file that can only be read or written to by the sysadmin.

  • Special versions of the traditional password and login programs must be used to enable shadow passwords.

  • Shadow passwords are automatically enabled during the installation phase of the operating system on Ubuntu systems.


Sample Shadow File (companion to previous passwd file)

  • http://cs.hiram.edu/~obie/cpsc35200/slides/shadow file EX.txt

    The fields are separated by colons and are, in order:

  • The user’s login name.

  • The encrypted password for the user.

  • The number of days since January 1, 1970 that the password was last changed. This date is known in UNIX circles as the epoch.


  • The number of days before the password can be changed (prevents changing a password and then changing it back to the old password right away—a dangerous security practice).

  • The number of days after which the password must be changed. This can be set to force the change of a newly issued password known to the system administrator.

  • The number of days before the password expiration that the user is warned it will expire.

  • The number of days after the password expires that the account is disabled (for security).

  • The number of days since January 1, 1970 that account has been disabled.

  • The final field is a “reserved” field and is not currently allocated for any use.


  • Password expiration dates and warnings are disabled by default in Ubuntu. These features are not used on home systems and usually not used for small offices. It is the sysadmin’s responsibility to establish and enforce password expiration policies.

  • The permissions on the /etc/shadow file should be set so that it is not writable or readable by regular users: The permissions should be 600.
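To make the two file layouts concrete, here is an added audit script (not part of the original slides) that parses passwd and shadow records in the formats described above, flags asterisk-disabled, passwd -l locked, nologin and passwordless accounts, and evaluates the aging fields against a fixed date. The sample records and the audit date are constructed for this example.

```python
import datetime as dt

# Constructed sample records in the layouts the slides describe (not from a real system).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
richard:x:1000:1000:Richard Roe,Room 101,555-0100,:/home/richard:/bin/bash
olduser:*:1001:1001::/home/olduser:/bin/bash
guest:x:1002:1002:Guest:/home/guest:/bin/bash
"""
SHADOW_SAMPLE = """\
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
richard:$6$constructedsalt$constructedhash:18900:1:90:7:14::
olduser:!:18000:0:99999:7::18500:
guest::19000:0:99999:7:::
"""
EPOCH = dt.date(1970, 1, 1)        # shadow day counts are days since this date
AUDIT_DATE = dt.date(2023, 1, 1)   # fixed "today" so the results are reproducible
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Parse username:password:uid:gid:gecos:homedir:shell lines into a dict keyed by username."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:        # every colon stays even when a field is empty
            raise ValueError(f"malformed passwd line: {line!r}")
        name, pw, uid, gid, gecos, home, shell = fields
        users[name] = {
            "uid": int(uid), "gid": int(gid), "home": home, "shell": shell,
            "gecos": gecos.split(",") if gecos else [],  # comma-delimited finger information
            "shadowed": pw == "x",      # real hash lives in /etc/shadow
            "starred": pw == "*",       # nothing can match: account disabled, not deleted
            "exposed_hash": pw not in ("x", "*", "!", ""),  # hash in the world-readable file
            "no_login_shell": shell in NOLOGIN_SHELLS,      # pseudo-user
        }
    return users


def _int_or_none(s):
    return int(s) if s else None


def parse_shadow(text, today):
    """Parse the nine colon-separated shadow fields and derive the aging state as of `today`."""
    days_now = (today - EPOCH).days
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        name, pw, last, lo, hi, warn, inactive, disabled, _reserved = fields
        last_change, max_days, disabled_day = map(_int_or_none, (last, hi, disabled))
        expired = (last_change is not None and max_days is not None
                   and max_days < 99999 and days_now > last_change + max_days)
        entries[name] = {
            "hash": pw,
            "empty": pw == "",               # login requires no password at all
            "locked": pw.startswith("!"),    # passwd -l prefixes the hash with "!"
            "last_change": EPOCH + dt.timedelta(days=last_change) if last_change is not None else None,
            "min_days": _int_or_none(lo), "max_days": max_days,
            "warn_days": _int_or_none(warn), "inactive_days": _int_or_none(inactive),
            "password_expired": expired,
            "account_disabled": disabled_day is not None and days_now >= disabled_day,
        }
    return entries


def audit(passwd_text, shadow_text, today):
    """Cross-check both files as a sysadmin would; returns sorted (user, finding) pairs."""
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text, today)
    findings = []
    for name, u in users.items():
        s = shadow.get(name)
        if u["uid"] == 0 and name != "root":
            findings.append((name, "uid 0: a second superuser account"))
        if u["exposed_hash"]:
            findings.append((name, "hash stored in world-readable /etc/passwd"))
        if u["starred"] or (s is not None and s["hash"] == "*"):
            findings.append((name, "disabled: asterisk in password field"))
        if u["no_login_shell"]:
            findings.append((name, "system account: no login shell"))
        if s is None:
            continue
        if s["empty"]:
            findings.append((name, "empty password field: no password required"))
        if s["locked"]:
            findings.append((name, "locked with passwd -l"))
        if s["password_expired"]:
            findings.append((name, "password older than its maximum age"))
        if s["account_disabled"]:
            findings.append((name, "past its account-disable date"))
    return sorted(findings)
```

Run `audit(PASSWD_SAMPLE, SHADOW_SAMPLE, AUDIT_DATE)` to get the findings for the sample; on a real host the two files would be read with root privileges.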


File Permissions in Linux

  • Sample output produced by 'ls -l' :

    drwx------ 2 richard staff 2048 Jan 2 1997 private

    drwxrws--- 2 richard staff 2048 Jan 2 1997 admin

    -rw-rw---- 2 richard staff 12040 Aug 20 1996 admin/userinfo

    drwxr-xr-x 3 richard user 2048 May 13 09:27 public

    Field 1: a set of ten permission flags.
    Field 2: link count
    Field 3: owner of the file
    Field 4: associated group for the file
    Field 5: size in bytes
    Fields 6-8: date of last modification (format varies, but always 3 fields)
    Field 9: name of file (possibly with path, depending on how ls was called)


The permission flags are read as follows (left to right).

Thus, 600 on the shadow file means:

Owner can read and write, but no one else can, because the owner’s octal digit 6 = 110 (base 2),

i.e. the read and write bits are set and the execute bit is clear, while the group and other digits are 0.
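An added example, not from the original slides, that decodes the permission flags of ls -l output like the listing above into octal modes and applies the slide’s 600 requirement to shadow files. The sample listing is constructed for this example (the shadow-file lines are invented for the check).

```python
import re

# Constructed ls -l output in the nine-field layout the slide describes (not from a real system).
LS_SAMPLE = """\
drwx------ 2 richard staff   2048 Jan  2  1997 private
drwxrws--- 2 richard staff   2048 Jan  2  1997 admin
-rw-rw---- 2 richard staff  12040 Aug 20  1996 admin/userinfo
drwxr-xr-x 3 richard user    2048 May 13 09:27 public
-rw------- 1 root    shadow  1523 Jan  2  1997 /etc/shadow
-rw-r--r-- 1 root    root    1523 Jan  2  1997 /etc/shadow.bak
"""

LS_LINE = re.compile(
    r"^(?P<flags>[-dlbcps][-rwxsStT]{9})\s+(?P<links>\d+)\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+(?P<size>\d+)\s+(?P<date>\S+\s+\S+\s+\S+)\s+(?P<name>.+)$")


def flags_to_mode(flags):
    """Decode the ten permission flags into (file type, numeric mode), e.g. '-rw-------' -> ('-', 0o600).

    Read left to right: the type character, then rwx for owner, group and others.
    Each rwx triple is one octal digit, so 'rw-' = 110 (base 2) = 6.
    """
    ftype, perms = flags[0], flags[1:]
    mode = 0
    for i, ch in enumerate(perms):
        bit = 1 << (8 - i)                      # r=4, w=2, x=1 within each triple
        if ch in "rwx":
            mode |= bit
        elif ch in "sS" and i in (2, 5):        # setuid/setgid are shown in the execute column
            mode |= 0o4000 if i == 2 else 0o2000
            mode |= bit if ch == "s" else 0
        elif ch in "tT" and i == 8:             # sticky bit
            mode |= 0o1000
            mode |= bit if ch == "t" else 0
        elif ch != "-":
            raise ValueError(f"bad permission flag {ch!r} in {flags!r}")
    return ftype, mode


def parse_ls(text):
    """Split each ls -l line into the nine fields from the slide, plus the decoded mode."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised ls -l line: {line!r}")
        e = m.groupdict()
        e["links"], e["size"] = int(e["links"]), int(e["size"])
        e["type"], e["mode"] = flags_to_mode(e["flags"])
        entries.append(e)
    return entries


def shadow_mode_ok(entry):
    """The slide requires 600 on the shadow file: owner read/write only, nothing for group or others."""
    return (entry["mode"] & 0o077 == 0 and entry["mode"] & 0o700 == 0o600
            and entry["owner"] == "root")


def check_shadow_files(text):
    """Return {name: ok?} for every entry whose name looks like a shadow file, backups included."""
    return {e["name"]: shadow_mode_ok(e) for e in parse_ls(text) if "shadow" in e["name"]}
```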


Hacker – Mixed Meanings

  • Traditionally, it was believed that hackers liked to

    • tinker with software or electronic systems.

    • explore and learn how computer systems operate.

    • discover new ways to work — both mechanically and electronically.

    • i.e. they were super programmers and systems people.

  • In recent years, hacker has taken on a new meaning — someone who maliciously breaks into systems for personal gain.

  • Technically, these criminals are crackers (criminal hackers).

  • Crackers break into, or crack, systems with malicious intent.

  • They are out for personal gain, fame, profit, or even revenge.

  • They modify, delete, and steal critical information, often making other people miserable.


Hacker – Mixed Meanings

The good hackers (white hats) don’t like being in the same category as the bad hackers (black hats).

Note: The white hat and black hat terms were used in old Western TV and film shows in which the good guys wore white cowboy hats and the bad guys wore black cowboy hats.

Gray hat hackers are a little bit of both.

Whatever the case, most people have a negative connotation for the word hacker.



Malicious users are typically a rogue employee, contractor, intern, or other user who abuses his or her privileges.

It is a common term used in security circles and in headlines about information breaches.

A long-standing statistic states that insiders carry out 80% of all security breaches.


Malicious users often don’t have to hack their systems.

They obtain privileges because they are, say, an intern or temporary employee, or they shoulder surfed another person with privileges.

Don’t forget that there is also the ignorant insider, whose intent is not malicious but who still causes security problems by moving, deleting, or corrupting sensitive information.


Ethical Hacking

One defense against a hacker is to be, to become, or hire an ethical hacker.

An ethical hacker possesses the skills, mindset, and tools of a hacker, but is completely trustworthy.

Ethical hackers perform hacks as security tests, with permission, based on how hackers might work.


Terminology – not Standardized

  • Hackers (or external attackers) try to compromise computers and sensitive information for ill-gotten gains — usually from the outside — as an unauthorized user.

  • Hackers go for almost any system they think they can compromise.

  • Some prefer prestigious, well-protected systems, but hacking into anyone’s system increases an attacker’s status in hacker circles.


Terminology – not Standardized

  • Malicious internal users (or internal attackers) try to compromise computers and sensitive information from the inside as authorized and “trusted” users.

  • Malicious users go for systems they believe they can compromise.

  • They typically hack for financial gains or revenge.

  • Malicious attackers are, generally speaking, both hackers and malicious users.

  • For the sake of simplicity, we will refer to both as hackers and specify hacker or malicious user only when we need to distinguish.


Terminology – not Standardized

Ethical hackers hack systems to discover vulnerabilities to protect against unauthorized access, abuse, and misuse.

They have the permission of the owner of a system to hack it.


Cracking or Password Hacking

Cracking is one of the easiest and most common high-tech methods used by hackers to obtain unauthorized computer or network access.

Strong passwords are easy to create and maintain, but many users often neglect them.

So, passwords are one of the weakest links in the security chain.

Passwords rely on secrecy – once compromised for one use, the hacker has physical access to a system.


Obtaining Passwords

  • There are many low-tech ways to obtain passwords, and a hacker will often try several of them:

    • Social engineering

    • Shoulder surfing

    • Inference or guessing

    • Weak authentication on older systems like Windows 9x and Me which didn’t require passwords

    • Bypassing authentication – some older systems let an ESC suffice for a password.

    • Password cracking software on a local system.

    • Remote cracking software for cracking over a network.


Password Vulnerabilities

  • Normally, considering the cost and value of the information to be protected, the combination of username and password is adequate.

  • However, passwords give a false sense of security.

  • One problem is that many users share their passwords. So, the sys admin may not even know who is using the account.

  • Before the Internet, one added measure of protection was that computers were physically locked up.


Password Vulnerabilities

  • Today, the following are viewed as password vulnerabilities:

    • Organizational or end user vulnerabilities

      • i.e. lack of password awareness by end users

      • i.e. lack of password policies that are strictly enforced.

    • Technical vulnerabilities

      • Weak encryption methods

      • Insecure storage of passwords on the computer


Organizational Password Vulnerabilities

  • Unless a policy is formulated and enforced, many users will choose passwords that are

    • Weak and easy to guess

    • Seldom changed

    • Reused for other systems

    • Written in nonsecure places


Technical Password Vulnerabilities

  • Software that stores passwords in memory or easily accessed databases

  • End user applications that display passwords on the screen

  • Unencrypted email giving you your username and password for an account

  • See a database of vulnerabilities.


Password Cracking Thrills Many

  • Unfortunately.

  • It fuels hackers’ sense of exploration and puzzle solving.

  • Interestingly, most hackers are males.

  • Start your hack by obtaining a password on the system you are attacking.

  • Start with the hardest to obtain – root’s

  • Look for a guest or user account.

  • Try for the root password or passwords for individuals on the system that can use su – i.e. go superuser

  • But, any user/password pair will do.


High-tech Password Cracking

  • Uses a cracking program that tries to guess a password by determining all password combinations.

  • They can be configured to try to crack in a certain order that the user defines, based on some local knowledge – e.g. only the first 8 characters of a password are checked.


Cracking Software

  • A hacker would try to crack your organization's operating system and application passwords with various password cracking tools:

    • pwdump3 (www.openwall.com/passwords/dl/pwdump/) extracts Windows password hashes from the SAM database.

    • John the Ripper (www.openwall.com/john) cracks hashed UNIX and Windows passwords.

    • Proactive Password Auditor (www.elcomsoft.com/ppa.html) runs brute-force, dictionary, and rainbow cracks against extracted LM and NTLM password hashes.

    • Cain and Abel (www.oxid.it/cain.html) cracks LM and NT LanManager (NTLM) hashes, Windows PWL passwords, Cisco IOS and PIX hashes, VNC passwords, RADIUS hashes, and more.


  • RainbowCrack (www.antsight.com/zsl/rainbowcrack) cracks LanManager (LM) and MD5 hashes very quickly by using rainbow tables.

  • Elcomsoft Distributed Password Recovery (www.elcomsoft.com/edpr.html) cracks Microsoft Office, PGP, and PKCS passwords in a distributed fashion using up to 2,500 networked computers at once.

  • Proactive System Password Recovery (www.elcomsoft.com/pspr.html) recovers practically any locally stored Windows password, such as logon passwords, WEP/WPA passphrases, SYSKEY passwords, RAS/dialup/VPN passwords, and more.

  • chknull (www.phreak.org/archives/exploits/novell) checks for Novell NetWare accounts with no password.

  • Pandora (www.nmrc.org/project/pandora) cracks Novell NetWare passwords online and offline.


  • Some of these tools require physical access to the systems being tested.

  • If a hacker can obtain physical access to your systems and password files, don’t you have more than just basic information security problems to worry about?

  • But this kind of access is entirely possible! What about a summer intern, a disgruntled employee, or an outside consultant with malicious intent?

  • Of course a legit use would be for the sys admin to check for poor passwords on the system.


  • Password‐cracking utilities take a set of known passwords and run them through a password hashing algorithm.

  • The resulting encrypted hashes are then compared at lightning speed to the password hashes extracted from the original password database.

  • When a match is found between the newly generated hash and the hash in the original database, the password has been cracked.

  • It's that simple.


What are Rainbow Table Cracks?

  • A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes.

  • Tables are usually used in recovering the plaintext password, up to a certain length consisting of a limited set of characters.

  • It is a form of time-memory tradeoff, using less CPU at the cost of more storage. Functions employ a salt to make this attack infeasible.


Use of Salts

  • A salt consists of random bits, as one of the inputs to a one-way function. The other input is usually a password or passphrase. The output of the one-way function can be stored rather than the password, and still be used for authenticating users.

  • Certain passwords such as those in Linux have a “salt” value added to them to create a degree of randomness. Why?

  • This prevents the same password from being used by two different people having the same hash value.


Salting the Password Table

  • Password table contains:

    • Salt value = plre

    • h(password+salt) = h(baseballplre) = FSXMXFNB


Salting the Password Table (cont)

  • User enters username and password

  • The operating system combines the password and the salt and hashes the result

  • The operating system compares the result to the entry in the table

  • Match = user is assigned the corresponding uid

  • Advantages:

    • Password table does not have to be protected

    • Dictionary attacks are much harder
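Added example (not code from the slides) of the salted table and the login steps just described. SHA-256 stands in for the slides’ unspecified toy hash h, so the stored values differ from FSXMXFNB and WSAWFFVI; the usernames and the salts other than plre are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Toy password table in the slides' layout: username -> (salt, h(password + salt)).


def h(data: bytes) -> str:
    """The one-way function: no inverse, and practically no collisions (SHA-256 here)."""
    return hashlib.sha256(data).hexdigest()


def make_entry(password, salt=None):
    """Create one table entry. The system chooses the salt; the user chooses the password."""
    if salt is None:
        salt = secrets.token_hex(4)          # random salt, playing the role of the slide's 'plre'
    return salt, h((password + salt).encode())


def build_table(users, salts=None, salted=True):
    """Build {username: (salt, hash)}; with salted=False every salt is the empty string."""
    table = {}
    for name, password in users.items():
        if not salted:
            table[name] = make_entry(password, "")
        else:
            table[name] = make_entry(password, (salts or {}).get(name))
    return table


def verify(table, username, password):
    """The login step from the slide: combine the typed password with the stored salt, hash, compare."""
    entry = table.get(username)
    if entry is None:
        return False
    salt, stored = entry
    # Constant-time comparison so a timing difference does not reveal how much of the hash matched.
    return hmac.compare_digest(h((password + salt).encode()), stored)


def precomputation_cost(table, dictionary_size):
    """Hash evaluations needed to compare a dictionary against every entry in the table.

    With no salt (or one shared salt) the dictionary is hashed once and reused for every
    user; with per-user salts it must be hashed again for each distinct salt. That is why
    the slides say dictionary attacks become much harder once the table is salted.
    """
    distinct_salts = {salt for salt, _ in table.values()}
    return dictionary_size * len(distinct_salts)
```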


  • Other password cracking programs simply attempt to log on using a predefined set of user IDs and passwords.

  • This is how many dictionary‐based cracking tools, such as Brutus

    (http://securitylab.ru/_tools/brutus-aet2.zip)

    and SQLPing2 (www.sqlsecurity.com/Tools/FreeTools/tabid/65/Default.aspx), work.

  • We will cover cracking Web application and database password cracking later.

  • Passwords that are subjected to cracking tools eventually lose.

  • These tools can be used for both legitimate audits and malicious attacks.

  • You want to audit your passwords before the hackers do.


Encryption

  • Passwords are typically encrypted when they're stored on a computer, using an encryption or one‐way hash algorithm such as DES or MD5.

  • Hashed passwords are then represented as fixed‐length encrypted strings that always represent the same passwords with exactly the same strings.

  • These hashes are irreversible for all practical purposes, so, in theory, passwords can never be decrypted.


Password Storage Locations: Windows

  • These vary by operating system:

  • Windows usually stores passwords in these locations:

    • Security Accounts Manager (SAM) database (c:\winnt\system32\config)

    • Active Directory database file that's stored locally or spread across domain controllers (ntds.dit)

  • Windows sometimes stores passwords in either a backup of the SAM file in the c:\winnt\repair directory or on an emergency repair disk.

  • Some Windows applications store passwords in the Registry or as plain‐text files on the hard drive!


Password Storage Locations: Unix Variants

  • Linux and other UNIX variants typically store passwords in these files:

    • /etc/passwd (readable by everyone)

    • /etc/shadow (accessible by the system and the root account only)

    • /etc/security/passwd (accessible by the system and the root account only)

    • /.secure/etc/passwd (accessible by the system and the root account only)


Attacks on Passwords

  • Attacker could…

    • Target one particular account

    • Target any account on system

    • Target any account on any system

    • Attempt denial of service (DoS) attack

  • Common attack path

    • Outsider → normal user → administrator

    • May only require one weak password!


Types of Attacks

  • There are three high‐tech password‐cracking methods

    • dictionary attacks,

    • brute‐force attacks, and

    • rainbow attacks.


Dictionary Attacks

  • Dictionary attacks quickly compare a set of known dictionary‐type words — including many common passwords — against a password database.

  • This database is a text file with hundreds if not thousands of “dictionary” words typically listed in alphabetical order.

  • For instance, suppose that you have a dictionary file that you downloaded from one of the sites in the list specified later.

  • The English dictionary file at the Purdue site contains one word per line starting with 10th, 1st . . . all the way to zygote.


A Dictionary Attack

  • An attacker can compile a dictionary of several thousand common words and compute the hash for each one:

  • Look for matches between the dictionary and the password table

    • Example: WSAWFFVI tells us Bob’s password is baseball


Wordlists

  • Many password‐cracking utilities can use a separate dictionary that you create or download from the Internet. Here are some popular sites that house dictionary files and other miscellaneous word lists:

  • ftp://ftp.cerias.purdue.edu/pub/dict

  • ftp://ftp.ox.ac.uk/pub/wordlists

  • packetstormsecurity.nl/Crackers/wordlists

  • www.outpost9.com/files/WordLists.html


Dictionary Attacks (cont)

  • Dictionary attacks are a serious problem:

    • Costs an intruder very little to send tens of thousands of common words through the one-way function and check for matches

    • Between 20 and 40 percent of the passwords on a typical system can be cracked in this way

  • Solution #1: don’t allow users to select their own passwords

    • System generates a random password for each user

    • Drawback:

      • Many people find system-assigned passwords hard to remember and therefore they write them down

      • Example: L8f#n!.5rH’

    • You can find huge numbers of post-it notes on screens, under keyboards, and in top drawers of desks that contain passwords!


  • You may need to try many lists to increase your chances of cracking the password.

  • Don't forget to use other language files as well, such as Spanish and Klingon.

  • Dictionary attacks are only as good as the dictionary files you supply your password‐cracking program.

  • Most dictionary attacks are good for weak (easily guessed) passwords.

  • However, some special dictionaries have common misspellings or alternate spellings of words — such as pa$$w0rd (password) and 5ecur1ty (security) — non‐English words, and thematic words from religions, politics, or Star Trek.


Password Cracking

  • Attack any of 1024 passwords in file

  • With dictionary

    • Probability at least one password is in the dictionary is 1 − (3/4)^1024 ≈ 1

    • We ignore the case where no password is in the dictionary

    • If no salt, work is about 2^19/2^10 = 2^9

    • If salt, expected work is less than 2^22

    • Note: If no salt, we can precompute all dictionary hashes and amortize the work



Combating Dictionary Attacks

  • Solution #2: password checking

    • Allow users to choose their own passwords

    • Do not allow them to use passwords that are in a common dictionary

  • Solution #3: salt the password table

    • A salt is a random string that is concatenated with a password before sending it through the one-way hash function

      • Random salt value chosen by system

        • Example: plre

      • Password chosen by user

        • Example: baseball
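Added example, not from the slides, implementing Solution #2 (password checking): it rejects candidates shorter than 8 characters, all-letter candidates, and candidates based on a dictionary word, including disguised spellings such as pa$$w0rd and 5ecur1ty mentioned earlier. The mini-dictionary and the substitution map are constructed for this example; a real deployment would load a full word list.

```python
import itertools
import re

# Constructed mini-dictionary (a real checker would load a full word list).
DICTIONARY = {"password", "security", "baseball", "dumptruck", "letmein", "welcome", "qwerty"}

# Common substitutions users believe disguise a dictionary word (pa$$w0rd, 5ecur1ty).
LEET = {"$": "s", "5": "s", "0": "o", "3": "e", "4": "a", "@": "a", "7": "t",
        "1": "il", "!": "i", "|": "l"}
MIN_LENGTH = 8


def leet_variants(candidate):
    """All lower-case strings obtained by undoing zero or more of the substitutions."""
    lowered = candidate.lower()
    if sum(ch in LEET for ch in lowered) > 8:
        # Bound the search (at most 3**8 variants); fall back to one greedy mapping.
        return {"".join(LEET.get(ch, ch)[0] for ch in lowered)}
    choices = [ch + LEET.get(ch, "") for ch in lowered]   # original char stays an option
    return {"".join(p) for p in itertools.product(*choices)}


def dictionary_word_in(candidate, dictionary):
    """Return the dictionary word the candidate is based on, or None."""
    words = sorted(dictionary)
    for variant in sorted(leet_variants(candidate)):
        core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", variant)   # 'baseball1998' -> 'baseball'
        if core in dictionary:
            return core
        for word in words:
            if len(word) >= 6 and word in variant:            # embedded word, e.g. 'mypassword!'
                return word
    return None


def check_password(candidate, dictionary=DICTIONARY):
    """Solution #2 from the slides: list the reasons a proposed password is rejected ([] = accepted)."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.isalpha():
        reasons.append("contains no non-letter character")
    word = dictionary_word_in(candidate, dictionary)
    if word:
        reasons.append(f"based on the dictionary word '{word}'")
    return reasons
```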



Brute-force Attacks

Brute‐force attacks can crack practically any password, given sufficient time.

Brute‐force attacks try every combination of numbers, letters, and special characters until the password is discovered.

Many password‐cracking utilities let you specify such testing criteria as the character sets, password length to try, and known characters (for a “mask” attack).


Password Retry

  • Suppose system locks after 3 bad passwords. How long should it lock?

    • 5 seconds

    • 5 minutes

    • Until SA restores service

  • What are +’s and -’s of each?


Using Passwords and One-Way Functions

  • User’s password is not stored in the table

  • A one-way hash* of the password, h(password), is stored in the table

    • h(dumptruck) = JFNXPEMD

    • h(baseball) = WSAWFFVI

      * hash is just a fancy word for a function or method that has few collisions and cannot be reversed. – i.e. no inverse function exists.



Locked Accounts After X Tries

  • Smart hackers attempt logins slowly or at random times so the failed login attempts aren't as predictable or obvious in the system log files.

  • Some malicious users may even call the IT help desk to attempt a reset of the account they've just locked out.

  • This social‐engineering technique could be a major issue, especially if the organization has no or minimal mechanisms in place to verify that locked‐out users are who they say they are.


  • After a password is changed, the cracking must start again if the hacker wants to test all the possible combinations.

  • This is one reason why passwords must be changed periodically.

  • Shortening the change interval can reduce the risk of passwords being cracked, unless users write down the changed ones because they can’t remember all of them.


  • Most passwords are fairly weak.

  • Even minimum password requirements, such as a password length, can help you in your testing. You may be able to discover security policy information by using other tools and techniques to hack operating systems, and configure your cracking programs with more defined cracking parameters, which often generates faster results.


Rainbow Attacks

  • A rainbow password attack uses rainbow tables, as previously described.

  • In an experiment, “A case study in Windows password vulnerabilities” with Philippe Oechslin, various password hashes for LM, NTLM, Cisco PIX, MD5, and others were cracked much more quickly and with extremely high success rates (near 100%).

  • Password‐cracking speed is increased in a rainbow attack because the hashes are precalculated and, thus, don't have to be generated individually on the fly as they are with dictionary and brute‐force cracking methods.


Security Files and Utilities

  • Linux provides several methods for safeguarding or controlling the login process:

    • The root user can only log in from terminals that are listed in the file /etc/securetty

    • If the /etc/nologin file exists, only root can log in at that time and when this file is deleted, all users can log in again

    • Executable files can have a special file permission set (the Set UID bit, or SUID) that causes them to take on the permissions of the user who owns the file rather than the user who executed the file



Security Files and Utilities

  • More Linux-provided security methods:

    • The Linux file systems support a number of attributes that can be set on any file

    • The PAM module pam_time can be used with the login program to limit when a user can log in

    • If the standard bash shell for Linux is running, an environment variable can be set which will log a user out after a certain number of idle seconds

    • In the tcsh shell, an environment variable accomplishes the same thing, but in a matter of minutes, not seconds



Password Experiment

  • A passphrase is a plain-language phrase, typically longer than a password, from which a virtual password is derived

    Example: Alice loves Bob and Bob loves Trudy!

    AlBaBlT!

  • Three groups of users --- each group advised to select passwords as follows

    • Group A: At least 6 chars, 1 non-letter

    • Group B: Password based on passphrase

    • Group C: 8 random characters

  • Results

    • Group A: About 30% of pwds easy to crack

    • Group B: About 10% cracked

      • Passwords easy to remember

    • Group C: About 10% cracked

      • Passwords hard to remember

winner 



Password Experiment

  • User compliance hard to achieve

  • In each case, one third did not comply (and about one third of those were easy to crack!)

  • Assigned passwords sometimes best

  • If passwords not assigned, best advice is

    • Choose passwords based on passphrase

    • Use pwd cracking tool to test for weak pwds

    • Require periodic password changes.



Passwords

  • The bottom line

  • Password cracking is too easy!

    • One weak password may break security

    • Users choose bad passwords

    • Social engineering attacks, etc.

  • The bad guy has all of the advantages

  • All of the math favors bad guys

  • Passwords are a big security problem


Just Announced Sept 13

  • IDG News Service - Nearly seven months after Intel shelled out $7.68 billion for antivirus vendor McAfee, the two companies are offering a glimpse of their future.

  • At the Intel Developer Forum in San Francisco Tuesday, McAfee provided an early look at its new effort to build security protections outside of the OS, using Intel's chip-level hooks that allow McAfee's Endpoint Protection Software to get a better look at malicious software such as rootkits.

